This is the first vulnerability i discovered during the PayPal bug bounty program on the first day of the program, i thought its about time i’d share it with ya all.

Vulnerability Details:

An attacker is able to inject and execute a malicious payload on a remote user account without the need to convince the victim to click anything, it only requires the user to login to his PayPal account.

The vulnerability is caused due to the lack of input validation and sanitization of the “Business Name” field.

This issue enables the attacker to change his business name to a malicious Javascript payload, this will cause for a Stored (Self) XSS to trigger in the attacker account under his Profile – Account Information – Street Address.
I was looking for a way to trigger this XSS on a remote user account and found that the payload can also be triggered by sending a Payment request.

These are the steps that were required in order to exploit this issue :

1. The attacker change his business name to a malicious javascript payload.
2. The attacker sends a payment request to the victim.
3. Once the user logs in to his account the payment request appears on the “Recent Activities” chart which loads on the main account page.
4. The XSS triggers on the user automatically when it tries to load the attacker business name.

I would like to thank PayPal for the opportunity to participate in this wonderful program and rewarding me for this bug.